CVE-2022-28144

Name of the Vulnerable Software and Affected Versions Jenkins Proxmox Plugin version 0.7.0 and earlier

Description The issue allows attackers with Overall/Read permission to connect to a specified host using a specified username and password, and perform a connection test. This also enables them to disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test, and test a rollback with specified parameters.

Recommendations For Jenkins Proxmox Plugin version 0.7.0 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the lack of permission checks in several HTTP endpoints. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin for connection tests until the issue is resolved.